RIOT-OS/RIOT
RIOT-OS/RIOT
1
0
Fork 0
mirror of https://github.com/RIOT-OS/RIOT.git synced 2025-01-17 10:32:44 +01:00
Code Releases Activity

sys/fmt: fix overflow in fmt_u32_dec()

Browse Source 
If the value was 10 digits long it caused an overflow in the multiply loop.
The case is now tested before looping over.
This commit is contained in:
Vincent Dupont 2017-12-07 17:43:25 -08:00
parent 36ebe5613f
commit 43a902b1ab
2 changed files with 16 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

10
sys/fmt/fmt.c
View File

@ -164,8 +164,14 @@ size_t fmt_u32_dec(char *out, uint32_t val)
size_t len = 1; size_t len = 1;
/* count needed characters */ /* count needed characters */
for (uint32_t tmp = 10; tmp <= val; len++) { /* avoid multiply overflow: uint32_t max len = 10 digits */
tmp *= 10; if (val >= 1000000000ul) {
len = 10;
}
else {
for (uint32_t tmp = 10; tmp <= val; len++) {
tmp *= 10;
}
} }
if (out) { if (out) {

9
tests/unittests/tests-fmt/tests-fmt.c
View File

@ -81,7 +81,7 @@ static void test_fmt_u64_hex(void)
static void test_fmt_u32_dec(void) static void test_fmt_u32_dec(void)
{ {
char out[9] = "--------"; char out[11] = "----------";
uint32_t val = 12345678; uint32_t val = 12345678;
uint8_t chars = 0; uint8_t chars = 0;
@ -89,6 +89,13 @@ static void test_fmt_u32_dec(void)
TEST_ASSERT_EQUAL_INT(8, chars); TEST_ASSERT_EQUAL_INT(8, chars);
out[chars] = '\0'; out[chars] = '\0';
TEST_ASSERT_EQUAL_STRING("12345678", (char *) out); TEST_ASSERT_EQUAL_STRING("12345678", (char *) out);
memset(out, '-', sizeof(out));
val = 1234567890;
chars = fmt_u32_dec(out, val);
TEST_ASSERT_EQUAL_INT(10, chars);
out[chars] = '\0';
TEST_ASSERT_EQUAL_STRING("1234567890", (char *) out);
} }
static void test_fmt_u16_dec(void) static void test_fmt_u16_dec(void)